LAWS OF MALAYSIA

					                     Digital Signature                         1




    LAWS OF MALAYSIA
                          REPRINT



                         Act 562

DIGITAL SIGNATURE ACT 1997
 Incorporating all amendments up to 1 January 2006




                           PUBLISHED BY
           THE COMMISSIONER OF LAW REVISION, MALAYSIA
        UNDER THE AUTHORITY OF THE REVISION OF LAWS ACT 1968
                      IN COLLABORATION WITH
                PERCETAKAN NASIONAL MALAYSIA BHD
                               2006




             DIGITAL SIGNATURE ACT 1997


Date of Royal Assent: 18 June 1997

Date of publication in the Gazette: 30 June 1997




                          PREVIOUS REPRINT

          First Reprint: 2002
                           LAWS OF MALAYSIA


                                      Act 562


                   DIGITAL SIGNATURE ACT 1997



                       ARRANGEMENT OF SECTIONS



                                        PART I

                                  PRELIMINARY

Section

  1.      Short title and commencement
  2.      Interpretation


                                        PART II

               THE COMMISSION AND THE LICENSING OF
                    CERTIFICATION AUTHORITIES

   3.     Appointment of Commission
   4.     Certification authorities to be licensed
   5.     Qualifications of certification authorities
   6.     Functions of licensed certification authorities
   7.     Application for licence
   8.     Grant or refusal of licence
   9.     Revocation of licence
 10.      Appeal
 11.      Surrender of licence
 12.      Effect of revocation, surrender or expiry of licence
 13.      Effect of lack of licence
 14.      Return of licence
 15.      Restricted licence
 16.      Restriction on use of expression “certification authority”
Section

    17.   Renewal of licence
    18.   Lost licence
    19.   Recognition of other licences
    20.   Performance audit
    21.   Exemption from performance audit


                                     PART III

             REQUIREMENTS OF LICENSED CERTIFICATION
                          AUTHORITIES

    22.   Activities of licensed certification authorities
    23.   Requirement to display licence
    24.   Requirement to submit information and particulars relating to business
          operations
    25.   Notification of change of information
    26.   Requirements as to advertisement


                                     PART IV

          DUTIES OF LICENSED CERTIFICATION AUTHORITIES
                        AND SUBSCRIBERS


                                    CHAPTER 1

                GENERAL REQUIREMENTS FOR LICENSED
                    CERTIFICATION AUTHORITIES

    27.   Use of trustworthy systems
    28.   Disclosures on inquiry
    29.   Prerequisites to issuance of certificate to subscriber
    30.   Publication of issued and accepted certificate
    31.   Adoption of more rigorous requirements permitted
    32.   Suspension or revocation of certificate for faulty issuance
    33.   Suspension or revocation of certificate by order
                                     CHAPTER 2

             WARRANTIES AND OBLIGATIONS OF LICENSED
                   CERTIFICATION AUTHORITIES

Section

 34.      Warranties to subscriber
 35.      Continuing obligations to subscriber
 36.      Representations upon issuance
 37.      Representations upon publication


                                     CHAPTER 3

          REPRESENTATIONS AND DUTIES UPON ACCEPTANCE
                        OF CERTIFICATE

 38.      Implied representations by subscriber
 39.      Representations by agent of subscriber
 40.      Disclaimer or indemnity limited
 41.      Indemnification of licensed certification authority by subscriber
 42.      Certification of accuracy of information given


                                     CHAPTER 4

                         CONTROL OF PRIVATE KEY

 43.      Duty of subscriber to keep private key secure
 44.      Property in private key
 45.      Licensed certification authority to be fiduciary if holding subscriber’s
          private key


                                     CHAPTER 5

                       SUSPENSION OF CERTIFICATE

 46.      Suspension of certificate by issuing licensed certification authority
 47.      Suspension of certificate by Commission or court
 48.      Notice of suspension
Section

    49.   Termination of suspension initiated by request
    50.   Alternate contractual procedures
    51.   Prohibition against false or unauthorized request for suspension of
          certificate
    52.   Effect of suspension of certificate
                                      CHAPTER 6

                       REVOCATION OF CERTIFICATE

    53.   Revocation on request
    54.   Revocation on subscriber’s death or dissolution
    55.   Revocation of unreliable certificates
    56.   Notice of revocation
    57.   Effect of revocation request on subscriber
    58.   Effect of notification on licensed certification authority


                                      CHAPTER 7

                        EXPIRATION OF CERTIFICATE

    59.   Expiration of certificate


                                      CHAPTER 8

          RECOMMENDED RELIANCE LIMITS AND LIABILITY

    60.   Recommended reliance limit
    61.   Liability limits for licensed certification authorities


                                       PART V

                      EFFECT OF DIGITAL SIGNATURE

    62.   Satisfaction of signature requirements
    63.   Unreliable digital signatures
    64.   Digitally signed message deemed to be written document
    65.   Digitally signed message deemed to be original document
    66.   Authentication of digital signatures
    67.   Presumptions in adjudicating disputes
                                      PART VI

            REPOSITORIES AND DATE/TIME STAMP SERVICES

Section

 68.      Recognition of repositories
 69.      Liability of repositories
 70.      Recognition of date/time stamp services


                                      PART VII

                                      GENERAL

 71.      Prohibition against dangerous activities
 72.      Obligation of secrecy
 73.      False information
 74.      Offences by body corporate
 75.      Authorized officer
 75A.     Enforcement by police officers
 76.      Power to investigate
 77.      Search by warrant
 78.      Search and seizure without warrant
 79.      Access to computerized data
 80.      List of things seized
 81.      Obstruction of authorized officer
 82.      Additional powers
 83.      General penalty
 84.      Recovery of procedural costs
 85.      No costs or damages arising from seizure to be recoverable
 86.      Institution and conduct of prosecution
 87.      Jurisdiction to try offences
 88.      Protection of Commission and officers
 89.      Power to exempt
 90.      Limitation on disclaiming or limiting application of Act
 91.      Regulations
 92.      Savings and transitional
                      LAWS OF MALAYSIA


                               Act 562


               DIGITAL SIGNATURE ACT 1997


An Act to make provision for, and to regulate the use of, digital
signatures and to provide for matters connected therewith.

                              [1 October 1998, P.U. (B) 397/1998]

BE IT ENACTED by the Seri Paduka Baginda Yang di-Pertuan
Agong with the advice and consent of the Dewan Negara and
Dewan Rakyat in Parliament assembled, and by the authority of
the same, as follows:

                                PART I
                           PRELIMINARY

Short title and commencement

1. This Act may be cited as the Digital Signature Act 1997 and
shall come into force on a date to be appointed by the Minister
by notification in the Gazette, and the Minister may appoint different
dates for different provisions of this Act.

Interpretation

2. (1) In this Act, unless the context otherwise requires—
  “accept a certificate” means—
     (a) to manifest approval of a certificate, while knowing or
         having notice of its contents; or
     (b) to apply to a licensed certification authority for a certificate,
         without revoking the application by delivering notice of
         the revocation to the licensed certification authority, and
         obtaining a signed, written receipt from the licensed
         certification authority, if the licensed certification authority
         subsequently issues a certificate based on the application;
  “asymmetric cryptosystem” means an algorithm or series of
algorithms which provide a secure key pair;

  “authorized officer” means an officer authorized under section
75;

   “certificate” means a computer-based record which—
   (a) identifies the certification authority issuing it;
   (b) names or identifies its subscriber;
   (c) contains the subscriber’s public key; and
   (d) is digitally signed by the certification authority issuing it;

   “certification authority” means a person who issues a certificate;

  “certification authority disclosure record” means an on-line and
publicly accessible record which concerns a licensed certification
authority which is kept by the Commission under subsection 3(5);

  “certification practice statement” means a declaration of the
practices which a certification authority employs in issuing certificates
generally, or employed in issuing a particular certificate;

  “certify” means to declare with reference to a certificate, with
ample opportunity to reflect, and with a duty to apprise oneself
of all material facts;

  *“Commission” means the Malaysian Communications and
Multimedia Commission established under the Malaysian
Communications and Multimedia Commission Act 1998 [Act 589];

  “confirm” means to ascertain through diligent inquiry and
investigation;

  “correspond”, with reference to keys, means to belong to the
same key pair;

*NOTE—Upon the commencement of Act A1121, previous references to the Controller of
Certification Authorities (“Controller”) or any officer and servant appointed by the Controller,
shall be construed as references to the Commission or its authorized officer—see section 19 of
Act A1121.
  “digital signature” means a transformation of a message using
an asymmetric cryptosystem such that a person having the initial
message and the signer’s public key can accurately determine—
     (a) whether the transformation was created using the private
         key that corresponds to the signer’s public key; and
     (b) whether the message has been altered since the
         transformation was made;

  “forge a digital signature” means—
     (a) to create a digital signature without the authorization of
         the rightful holder of the private key; or
     (b) to create a digital signature verifiable by a certificate
         listing as subscriber a person who either does not exist
         or does not hold the private key corresponding to the
         public key listed in the certificate;

  “hold a private key” means to be able to utilize a private key;

  “incorporate by reference” means to make one message a part
of another message by identifying the message to be incorporated
and expressing the intention that it be incorporated;

  “issue a certificate” means the act of a certification authority in
creating a certificate and notifying the subscriber listed in the
certificate of the contents of the certificate;

  “key pair” means a private key and its corresponding public key
in an asymmetric cryptosystem, where the public key can verify
a digital signature that the private key creates;

   “licensed certification authority” means a certification authority
to whom a licence has been issued by the Commission and whose
licence is in effect;

  “message” means a digital representation of information;

  “notify” means to communicate a fact to another person in a
manner reasonably likely under the circumstances to impart
knowledge of the information to the other person;
  “person” means a natural person or a body of persons, corporate
or unincorporate, capable of signing a document, either legally or
as a matter of fact;

  “prescribed” means prescribed by or under this Act or any
regulations made under this Act;

   “private key” means the key of a key pair used to create a digital
signature;

   “public key” means the key of a key pair used to verify a digital
signature;

  “publish” means to record or file in a repository;

  “qualified certification authority” means a certification authority
that satisfies the requirements under section 5;

  “recipient” means a person who receives or has a digital signature
and is in a position to rely on it;

  “recognized date/time stamp service” means a date/time stamp
service recognized by the Commission under section 70;

  “recognized repository” means a repository recognized by the
Commission under section 68;

  “recommended reliance limit” means the monetary amount
recommended for reliance on a certificate under section 60;

  “repository” means a system for storing and retrieving certificates
and other information relevant to digital signatures;

  “revoke a certificate” means to make a certificate ineffective
permanently from a specified time forward;

  “rightfully hold a private key” means to be able to utilize a
private key—
     (a) which the holder or the holder’s agents have not disclosed
         to any person in contravention of this Act; and
     (b) which the holder has not obtained through theft, deceit,
         eavesdropping or other unlawful means;
  “subscriber” means a person who—
      (a) is the subject listed in a certificate;
      (b) accepts the certificate; and
      (c) holds a private key which corresponds to a public key
          listed in that certificate;

  “suspend a certificate” means to make a certificate ineffective
temporarily for a specified time forward;

  “this Act” includes any regulations made under this Act;

  “time-stamp” means—
      (a) to append or attach to a message, digital signature or
          certificate a digitally signed notation indicating at least
          the date, time and identity of the person appending or
          attaching the notation; or
      (b) the notation so appended or attached;

  “transactional certificate” means a certificate, incorporating by
reference one or more digital signatures, issued and valid for a
specific transaction;

 “trustworthy system” means computer hardware and software
which—
      (a) are reasonably secure from intrusion and misuse;
      (b) provide a reasonable level of availability, reliability and
          correct operation; and
      (c) are reasonably suited to performing their intended functions;

  “valid certificate” means a certificate which—
      (a) a licensed certification authority has issued;
      (b) has been accepted by the subscriber listed in it;
      (c) has not been revoked or suspended; and
      (d) has not expired:

  Provided that a transactional certificate is a valid certificate
only in relation to the digital signature incorporated in it by reference;
   “verify a digital signature” means, in relation to a given digital
signature, message and public key, to determine accurately that—
     (a) the digital signature was created by the private key
         corresponding to the public key; and
     (b) the message has not been altered since its digital signature
         was created;

  “writing” or “written” includes any handwriting, typewriting,
printing, electronic storage or transmission or any other method
of recording information or fixing information in a form capable
of being preserved.

  (2) For the purposes of this Act, a certificate shall be revoked
by making a notation to that effect on the certificate or by including
the certificate in a set of revoked certificates.

  (3) The revocation of a certificate does not mean that it is
destroyed or made illegible.
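The definitions of "certificate", "digital signature", "valid certificate" and "verify a digital signature", together with subsection 2(2), describe a mechanism rather than a policy, so a worked example helps. The Go program below is added here as an illustration; it is not part of the Act and not the software of any Malaysian certification authority. It assumes Ed25519 as the asymmetric cryptosystem (the Act names none), adds a constructed NotAfter field so that the "has not expired" limb can be tested, and uses constructed names, keys, timestamps and a sample message. It is a teaching model of the definitions, not an X.509 implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Certificate carries the four elements of the Act's definition: the issuing
// CA, the subscriber, the subscriber's public key and the CA's signature.
// NotAfter is an added assumption so that expiry can be checked.
type Certificate struct {
	Issuer     string
	Subscriber string
	PublicKey  ed25519.PublicKey
	NotAfter   time.Time
	Signature  []byte // CA signature over tbs()
}

// tbs is the deterministic "to be signed" encoding; changing any field
// changes these bytes and so breaks Signature.
func (c *Certificate) tbs() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d",
		c.Issuer, c.Subscriber, hex.EncodeToString(c.PublicKey), c.NotAfter.Unix()))
}

// IssueCertificate is the CA-side act of creating and signing the record.
func IssueCertificate(ca string, caPriv ed25519.PrivateKey, subscriber string,
	subPub ed25519.PublicKey, notAfter time.Time) *Certificate {
	c := &Certificate{Issuer: ca, Subscriber: subscriber, PublicKey: subPub, NotAfter: notAfter}
	c.Signature = ed25519.Sign(caPriv, c.tbs())
	return c
}

// CertID identifies an issued certificate in the revoked/suspended sets.
func CertID(c *Certificate) string { return hex.EncodeToString(c.Signature) }

// Registry is the relying party's view: licensed CA keys plus the sets of
// revoked and suspended certificates (s. 2(2): revocation may be effected by
// including the certificate in a set of revoked certificates).
type Registry struct {
	LicensedCAs map[string]ed25519.PublicKey
	Revoked     map[string]bool
	Suspended   map[string]bool
}

// IsValid applies the definition of "valid certificate": issued by a licensed
// CA (shown by its signature verifying), accepted by the subscriber, not
// revoked or suspended, and not expired at time now.
func (r *Registry) IsValid(c *Certificate, accepted bool, now time.Time) (bool, string) {
	caPub, ok := r.LicensedCAs[c.Issuer]
	if !ok {
		return false, "issuer is not a licensed certification authority"
	}
	if !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return false, "CA signature on certificate does not verify"
	}
	if !accepted {
		return false, "certificate not accepted by subscriber"
	}
	if r.Revoked[CertID(c)] || r.Suspended[CertID(c)] {
		return false, "certificate revoked or suspended"
	}
	if !now.Before(c.NotAfter) {
		return false, "certificate expired"
	}
	return true, ""
}

// VerifyWithCertificate is the full relying-party check. ed25519.Verify
// decides both limbs of "verify a digital signature" at once: (a) the
// signature was made with the private key corresponding to the listed public
// key and (b) the message is unaltered since it was signed.
func (r *Registry) VerifyWithCertificate(c *Certificate, accepted bool, now time.Time,
	message, sig []byte) (bool, string) {
	if ok, why := r.IsValid(c, accepted, now); !ok {
		return false, why
	}
	if !ed25519.Verify(c.PublicKey, message, sig) {
		return false, "signature does not verify under the certificate's public key"
	}
	return true, ""
}

// Demo runs issuance, signing and each failure mode on constructed inputs
// (keys, names, message and timestamps are all made up here).
func Demo() map[string]bool {
	res := map[string]bool{}
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC)
	cert := IssueCertificate("Example Licensed CA", caPriv, "Alice", subPub, now.AddDate(1, 0, 0))
	rogue := IssueCertificate("Rogue CA", roguePriv, "Alice", subPub, now.AddDate(1, 0, 0))
	reg := &Registry{LicensedCAs: map[string]ed25519.PublicKey{"Example Licensed CA": caPub},
		Revoked: map[string]bool{}, Suspended: map[string]bool{}}
	msg := []byte("Pay RM 1,000 to Bob")
	sig := ed25519.Sign(subPriv, msg)
	res["genuine"], _ = reg.VerifyWithCertificate(cert, true, now, msg, sig)
	res["altered message"], _ = reg.VerifyWithCertificate(cert, true, now, []byte("Pay RM 9,000 to Bob"), sig)
	res["wrong private key"], _ = reg.VerifyWithCertificate(cert, true, now, msg, ed25519.Sign(otherPriv, msg))
	res["unlicensed issuer"], _ = reg.VerifyWithCertificate(rogue, true, now, msg, sig)
	res["expired"], _ = reg.VerifyWithCertificate(cert, true, now.AddDate(2, 0, 0), msg, sig)
	reg.Revoked[CertID(cert)] = true
	res["revoked"], _ = reg.VerifyWithCertificate(cert, true, now, msg, sig)
	return res
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-18s verifies=%v\n", k, v)
	}
}
```

One point worth noticing when reading the example against the definitions: the cryptographic check alone cannot tell an altered message from a signature made with the wrong private key, and it cannot tell whether the listed subscriber actually holds that private key (limb (b) of "forge a digital signature"). Those questions are answered only by the certification authority's identity checks and by the relying party verifying the CA's own signature and licence status, which is why the registry check runs before the message signature is examined.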


                               PART II

          THE COMMISSION AND THE LICENSING OF
               CERTIFICATION AUTHORITIES


Appointment of Commission

3. (1) The Commission shall be responsible for administering,
enforcing, carrying out and giving effect to the provisions of this
Act and shall exercise, discharge and perform the powers, duties
and functions under this Act for the purpose of monitoring and
overseeing the activities of certification authorities.

  (2) (Deleted by Act A1121).

  (3) (Deleted by Act A1121).

  (4) The Commission and its employees shall exercise their powers
under this Act subject to such directions as to general policy and
orders as may be given or made by the Minister.
   (5) The Commission shall maintain a publicly accessible data
base containing a certification authority disclosure record for each
licensed certification authority which shall contain all the particulars
required under the regulations made under this Act.

  (6) The Commission shall publish the contents of the data base
in at least one recognized repository.

Certification authorities to be licensed

4. (1) No person shall carry on or operate, or hold himself out as
carrying on or operating, as a certification authority unless that
person holds a valid licence issued under this Act.

   (2) A person who contravenes subsection (1) commits an offence
and shall, on conviction, be liable to a fine not exceeding five
hundred thousand ringgit or to imprisonment for a term not exceeding
ten years or to both, and in the case of a continuing offence shall
in addition be liable to a daily fine not exceeding five thousand
ringgit for each day the offence continues to be committed.

  (3) The Minister may, on an application in writing being made
in accordance with this Act, exempt—
     (a) a person operating as a certification authority within an
         organization where certificates and key pairs are issued
         to members of the organization for internal use only; and
     (b) such other person or class of persons as the Minister
         considers fit,

from the requirements of this section.

  (4) The Minister may delegate his powers under subsection (3)
to the Commission and such powers may be exercised by the
Commission in the name and on behalf of the Minister.

 (5) A delegation under subsection (4) shall not preclude the
Minister himself from exercising at any time the powers so delegated.

   (6) The liability limits specified in Chapter 8 of Part IV shall
not apply to an exempted certification authority and Part V shall
not apply in relation to a digital signature verified by a certificate
issued by an exempted certification authority.
Qualifications of certification authorities

5. (1) The Minister shall, by regulations made under this Act,
prescribe the qualification requirements for certification authorities.

  (2) The Minister may at any time vary or amend the qualification
requirements prescribed under subsection (1) provided that any
such variation or amendment shall not be applied to a certification
authority holding a valid licence under this Act until the expiry
of that licence.

Functions of licensed certification authorities

6. (1) The function of a licensed certification authority shall be
to issue a certificate to a subscriber upon application and upon
satisfaction of the licensed certification authority’s requirements
as to the identity of the subscriber to be listed in the certificate
and upon payment of the prescribed fees and charges.

  (2) The licensed certification authority shall, before issuing any
certificate under this Act, take all reasonable measures to check
for proper identification of the subscriber to be listed in the certificate.

   (3) The licensed certification authority shall, on the issuance of
any certificate under this Act, cause the application for the certificate
to be certified by a notary public duly appointed under the Notaries
Public Act 1959 [Act 115].

Application for licence

7. (1) An application for the grant of a licence under this Act
shall be made in writing to the Commission in such form as may
be prescribed.

  (2) Every application under subsection (1) shall be accompanied
by such documents or information as may be prescribed and the
Commission may, orally or in writing at any time after receiving
the application and before it is determined, require the applicant
to provide such additional documents or information as may be
considered necessary by the Commission for the purposes of
determining the suitability of the applicant for the licence.
   (3) Where any additional document or information required
under subsection (2) is not provided by the applicant within the
time specified in the requirement or any extension thereof granted
by the Commission, the application shall be deemed to be withdrawn
and shall not be further proceeded with, without prejudice to a
fresh application being made by the applicant.

Grant or refusal of licence

8. (1) The Commission shall, on an application having been duly
made in accordance with section 7 and after being provided with
all such documents and information as it may require, consider the
application, and where it is satisfied that the applicant is a qualified
certification authority and a suitable licensee, and upon payment
of the prescribed fee, grant the licence with or without conditions,
or refuse to grant a licence.

  (2) Every licence granted under subsection (1) shall set out the
duration of the licence and the licence number.

  (3) The terms and conditions imposed under the licence may at
any time be varied or amended by the Commission provided that
the licensee is given a reasonable opportunity of being heard.

  (4) Where the Commission refuses to grant a licence, it shall
immediately notify the applicant in writing of its refusal.

Revocation of licence

9. (1) The Commission may revoke a licence granted under section
8 if it is satisfied that—
     (a) the licensed certification authority has failed to comply
         with any obligation imposed upon it by or under this Act;
     (b) the licensed certification authority has contravened any
         condition imposed under the licence, any provision of
         this Act or any other written law, regardless that there has
         been no prosecution for an offence in respect of such
         contravention;
      (c) the licensed certification authority has, either in connection
          with the application for the licence or at any time after
          the grant of the licence, provided the Commission with
          false, misleading or inaccurate information or a document
         or declaration made by or on behalf of the licensed
         certification authority or by or on behalf of any person
         who is or is to be a director, controller or manager of the
         licensed certification authority which is false, misleading
         or inaccurate;
     (d) the licensed certification authority is carrying on its business
         in a manner which is prejudicial to the interest of the
         public or to the national economy;
     (e) the licensed certification authority has insufficient assets
         to meet its liabilities;
      (f) a winding up order has been made against the licensed
          certification authority or a resolution for its voluntary
          winding up has been passed;
     (g) the licensed certification authority or any of its officers
         holding a managerial or an executive position has been
         convicted of any offence involving dishonesty, fraud or
         moral turpitude;
     (h) the licensed certification authority or its director, controller
         or manager has been convicted of any offence under this
         Act; or
      (i) the licensed certification authority has ceased to be a
          qualified certification authority.

   (2) Before revoking a licence, the Commission shall give the
licensed certification authority a notice in writing of its intention
to do so and require the licensed certification authority to show
cause within a period specified in the notice as to why the licence
should not be revoked.

   (3) Where the Commission decides to revoke the licence, it
shall immediately inform the certification authority concerned of
its decision by a notice in writing.

  (4) The revocation of a licence shall take effect—
     (a) where there is no appeal against such revocation, on the
         expiration of fourteen days from the date on which the
         notice of revocation is served on the licensed certification
         authority; or
     (b) where there is an appeal against such revocation, when
         the revocation is confirmed by the Minister.
   (5) Where an appeal has been made against the revocation of
a licence, the certification authority whose licence has been so
revoked shall not issue any certificates until the appeal has been
disposed of and the revocation has been set aside by the Minister
but nothing in this subsection shall prevent the certification authority
from fulfilling its other obligations to its subscribers during such
period.

  (6) A person who contravenes subsection (5) commits an offence
and shall, on conviction, be liable to a fine not exceeding five
hundred thousand ringgit or to imprisonment for a term not exceeding
ten years or to both.

   (7) Where the revocation of a licence has taken effect, the
Commission shall, as soon as practicable, cause such revocation
to be published in the certification authority disclosure record that
it maintains for the certification authority concerned and advertised
in at least one national language and one English language national
daily newspaper for at least three consecutive days.

  (8) Any delay or failure in publishing or advertising such notice
of revocation shall not in any manner affect the validity of the
revocation.

Appeal
10. (1) Any person who is aggrieved by—
     (a) the refusal of the Commission to license any certification
         authority under section 8 or to renew any such licence
         under section 17; or
     (b) the revocation of any licence under section 9,

may appeal in writing to the Minister within fourteen days from
the date on which the notice of refusal or revocation is served on
that person.

  (2) The decision of the Minister under this section shall be final
and conclusive.

Surrender of licence
11. (1) A licensed certification authority may surrender its licence
by forwarding it to the Commission with a written notice of its
surrender.
  (2) The surrender shall take effect on the date the Commission
receives the licence and the notice under subsection (1), or where
a later date is specified in the notice, on that date.

   (3) The licensed certification authority shall, not later than fourteen
days after the date referred to in subsection (2), cause such surrender
to be published in the certification authority disclosure record of
the certification authority concerned and advertised in at least one
national language and one English language national daily newspaper
for at least three consecutive days.

Effect of revocation, surrender or expiry of licence

12. (1) Where the revocation of a licence under section 9 or its
surrender under section 11 has taken effect, or where the licence
has expired, the licensed certification authority shall immediately
cease to carry on or operate any business in respect of which the
licence was granted.

  (2) Notwithstanding subsection (1), the Minister may, on the
recommendation of the Commission, authorize the licensed
certification authority in writing to carry on its business for such
duration as the Minister may specify in the authorization for the
purpose of winding up its affairs.

   (3) Notwithstanding subsection (1), a licensed certification
authority whose licence has expired shall be entitled to carry on
its business as if its licence had not expired upon proof being
submitted to the Commission that the licensed certification authority
has applied for a renewal of the licence and that such application
is pending determination.

   (4) A person who contravenes subsection (1) commits an offence
and shall, on conviction, be liable to a fine not exceeding five
hundred thousand ringgit or to imprisonment for a term not exceeding
ten years or to both, and in the case of a continuing offence shall
in addition be liable to a daily fine not exceeding five thousand
ringgit for each day the offence continues to be committed.

  (5) Without prejudice to the Commission’s powers under section
33, the revocation of a licence under section 9 or its surrender
under section 11 or its expiry shall not affect the validity or effect
of any certificate issued by the certification authority concerned
before such revocation, surrender or expiry.
   (6) For the purposes of subsection (5), the Commission shall
appoint another licensed certification authority to take over the
certificates issued by the certification authority whose licence has
been revoked or surrendered or has expired and such certificates
shall, to the extent that they comply with the requirements of the
appointed licensed certification authority, be deemed to have been
issued by that licensed certification authority.

   (7) Nothing in subsection (6) shall preclude the appointed licensed
certification authority from requiring the subscriber to comply
with its requirements in relation to the issuance of certificates or
from issuing a new certificate to the subscriber for the unexpired
period of the original certificate provided that any additional fees
or charges to be imposed shall only be imposed with the prior
written approval of the Commission.

  (8) Where the Commission has appointed a licensed certification
authority to take over the certificates of a certification authority
under subsection (6), the certification authority shall pay to the
appointed licensed certification authority such part of the prescribed
fee paid by the subscribers to it as the Commission may determine.

Effect of lack of licence

13. (1) The liability limits specified in Chapter 8 of Part IV shall
not apply to unlicensed certification authorities.

  (2) Part V shall not apply in relation to a digital signature which
cannot be verified by a certificate issued by a licensed certification
authority.

   (3) In any other case, unless the parties expressly provide otherwise
by contract between themselves, the licensing requirements under
this Act shall not affect the effectiveness, enforceability or validity
of any digital signature.

Return of licence

14. (1) Where the revocation of a licence under section 9 has
taken effect, or where the licence has expired and no application
for its renewal has been submitted within the period specified or
where an application for renewal has been refused under section
17, the licensed certification authority shall within fourteen days
return the licence to the Commission.
   (2) A person who contravenes subsection (1) commits an offence
and shall, on conviction, be liable to a fine not exceeding five
hundred thousand ringgit or to imprisonment for a term not exceeding
ten years or to both, and in the case of a continuing offence shall
in addition be liable to a daily fine not exceeding five thousand
ringgit for each day the offence continues to be committed, and
the court shall retain the licence and forward it to the Commission.


Restricted licence

15. (1) The Commission may classify licences according to specified
limitations including—
     (a) maximum number of outstanding certificates;
     (b) cumulative maximum of recommended reliance limits in
         certificates issued by the licensed certification authority;
         and
      (c) issuance only within a single firm or organization.

  (2) The Commission may issue licences restricted according to
the limits of each classification.

  (3) A licensed certification authority that issues a certificate
exceeding the restrictions of its licence commits an offence.

   (4) Where a licensed certification authority issues a certificate
exceeding the restrictions of its licence, the liability limits specified
in Chapter 8 of Part IV shall not apply to the licensed certification
authority in relation to that certificate.

  (5) Nothing in subsection (3) or (4) shall affect the validity or
effect of the issued certificate.


Restriction on use of expression “certification authority”

16. Except with the written consent of the Commission, no person,
not being a licensed certification authority, shall assume or use the
expressions “certification authority” or “licensed certification
authority”, as the case may be, or any derivative of these expressions
in any language, or any other words in any language capable of
being construed as indicating the carrying on or operation of such
business, in relation to the business or any part of the business
carried on by such person, or make any representation to such
effect in any bill head, letter, paper, notice, advertisement or in any
other manner.


Renewal of licence

17. (1) Every licensed certification authority shall submit an
application to the Commission in such form as may be prescribed
for the renewal of its licence at least thirty, but not more than sixty,
days before the date of expiry of the licence and such application
shall be accompanied by such documents and information as may
be required by the Commission.

  (2) The prescribed fee shall be payable upon approval of the
application.

   (3) If any licensed certification authority has no intention of
renewing its licence, the licensed certification authority shall, at
least thirty days before the expiry of the licence, publish such
intention in the certification authority disclosure record of the
certification authority concerned and advertise such intention in at
least one national language and one English language national
daily newspaper for at least three consecutive days.

  (4) Without prejudice to any other grounds, the Commission
may refuse to renew a licence where the requirements of subsection
(1) have not been complied with.


Lost licence

18. (1) Where a licensed certification authority has lost its licence,
it shall immediately notify the Commission in writing of the loss.

   (2) The licensed certification authority shall, as soon as practicable,
submit an application for a replacement licence accompanied by
all such information and documents as may be required by the
Commission together with the prescribed fee.
Recognition of other licences

19. (1) The Commission may recognize, by order published in
the Gazette, certification authorities licensed or otherwise authorized
by governmental entities outside Malaysia that satisfy the prescribed
requirements.

  (2) Where a licence or other authorization of a governmental
entity is recognized under subsection (1),—
       (a) the recommended reliance limit, if any, specified in a
           certificate issued by the certification authority licensed
           or otherwise authorized by the governmental entity shall
           have effect in the same manner as a recommended reliance
           limit specified in a certificate issued by a licensed
           certification authority of Malaysia; and
       (b) Part V shall apply to the certificates issued by the
           certification authority licensed or otherwise authorized
           by the governmental entity in the same manner as it
           applies to a certificate issued by a licensed certification
           authority of Malaysia.

Performance audit

*20. (1) The operations of a licensed certification authority shall
be audited at least once a year to evaluate its compliance with this
Act.

  (2) The audit shall be carried out by a certified public accountant
having expertise in computer security or by an accredited computer
security professional.

  (3) The qualifications of the auditors and the procedure for an
audit shall be as may be prescribed by regulations made under this
Act.

  (4) The Commission shall publish in the certification authority
disclosure record that it maintains for the licensed certification
authority concerned the date and result of the audit.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the
purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also
known as “RENTAS”—see P.U. (A) 300/1999.
Exemption from performance audit

21. (1) The Commission may exempt a licensed certification
authority from the requirements of section 20 if—
      (a) the licensed certification authority requests in writing for
          exemption;
      (b) the most recent performance audit, if any, of the licensed
          certification authority resulted in a finding of full or
          substantial compliance with this Act; and
      (c) the licensed certification authority declares under oath or
          affirmation that one or more of the following is true with
          respect to the licensed certification authority:
             (i) the licensed certification authority has issued fewer
                 than six certificates during the past year and the
                 total of the recommended reliance limits of all such
                 certificates does not exceed twenty-five thousand
                 ringgit;
            (ii) the aggregate lifetime of all certificates issued by
                 the licensed certification authority during the past
                 year is less than thirty days and the total of the
                 recommended reliance limits of all such certificates
                 does not exceed twenty-five thousand ringgit;
           (iii) the recommended reliance limits of all certificates
                 outstanding and issued by the licensed certification
                 authority total less than two thousand five hundred
                 ringgit.

  (2) Where the licensed certification authority’s declaration under
paragraph (1)(c) falsely states a material fact, the licensed certification
authority shall be deemed to have failed to comply with the
performance audit requirement under section 20.

  (3) Where a licensed certification authority is exempted under
subsection (1), the Commission shall publish in the certification
authority disclosure record that it maintains for the licensed
certification authority concerned a statement that the licensed
certification authority is exempted from the performance audit
requirement under section 20.
                                          PART III
           REQUIREMENTS OF LICENSED CERTIFICATION
                        AUTHORITIES

Activities of licensed certification authorities

22. (1) A licensed certification authority shall only carry on such
activities as may be specified in its licence.

   (2) A licensed certification authority shall carry on its activities
in accordance with this Act and any regulations made under this
Act.

Requirement to display licence

23. A licensed certification authority shall at all times display its
licence in a conspicuous place at its place of business.

Requirement to submit information and particulars relating to
business operations

*24. (1) A licensed certification authority shall submit to the
Commission such information and particulars including financial
statements, audited balance sheets and profit and loss accounts
relating to its entire business operations as may be required by the
Commission within such time as it may determine.

   (2) A person who contravenes subsection (1) commits an offence
and shall, on conviction, be liable to a fine not exceeding one
hundred thousand ringgit or to imprisonment for a term not exceeding
two years or to both, and in the case of a continuing offence shall
in addition be liable to a daily fine not exceeding two thousand
ringgit for each day the offence continues to be committed.

Notification of change of information

*25. (1) Every licensed certification authority shall, before making
any amendment or alteration to any of its constituent documents,
or before any change in its director or chief executive officer,
furnish the Commission particulars in writing of any such proposed
amendment, alteration or change.
*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the
purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also
known as “RENTAS”—see P.U. (A) 300/1999.
  (2) Every licensed certification authority shall immediately notify
the Commission of any amendment or alteration to any information
or document which has been furnished to the Commission in
connection with the licence.

Requirements as to advertisement

26. A licensed certification authority shall not publish, whether
in a newspaper, brochure or otherwise, any advertisement or
information relating to or in connection with the business of a
certification authority without including—
     (a) the licence number;
     (b) the business name under which it carries on business and
         the address at which such business is carried on; and
     (c) any other particulars relating to any services offered as
         the Commission considers necessary.


                               PART IV

     DUTIES OF LICENSED CERTIFICATION AUTHORITIES
                   AND SUBSCRIBERS

                             CHAPTER 1

                General requirements for licensed
                    certification authorities

Use of trustworthy systems

27. (1) A licensed certification authority shall only use a trustworthy
system—
     (a) to issue, suspend or revoke a certificate;
     (b) to publish or give notice of the issuance, suspension or
         revocation of a certificate; and
     (c) to create a private key, whether for itself or for a subscriber.

  (2) A subscriber shall only use a trustworthy system to create
a private key.
Disclosures on inquiry

28. (1) A licensed certification authority shall, on an inquiry being
made to it under this Act, disclose any material certification practice
statement and any fact material to either the reliability of a certificate
which it has issued or its ability to perform its services.

  (2) A licensed certification authority may require a signed, written
and reasonably specific inquiry from an identified person, and
payment of the prescribed fee, as conditions precedent to effecting
a disclosure required under subsection (1).

Prerequisites to issuance of certificate to subscriber

29. (1) A licensed certification authority may issue a certificate
to a subscriber only after all of the following conditions are satisfied:
      (a) the licensed certification authority has received a request
          for issuance signed by the prospective subscriber; and
      (b) the licensed certification authority has confirmed that—
             (i) the prospective subscriber is the person to be listed
                 in the certificate to be issued;
            (ii) if the prospective subscriber is acting through one
                 or more agents, the subscriber duly authorized the
                 agent or agents to have custody of the subscriber’s
                 private key and to request issuance of a certificate
                 listing the corresponding public key;
           (iii) the information in the certificate to be issued is
                 accurate;
           (iv) the prospective subscriber rightfully holds the private
                key corresponding to the public key to be listed in
                the certificate;
            (v) the prospective subscriber holds a private key capable
                of creating a digital signature; and
           (vi) the public key to be listed in the certificate can be
                used to verify a digital signature affixed by the
                private key held by the prospective subscriber.

  (2) The requirements of subsection (1) shall not be waived or
disclaimed by the licensed certification authority, the subscriber,
or both.
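Read as engineering requirements, paragraphs (a) and (b)(iv) to (vi) of subsection 29(1) describe the proof-of-possession check a certification authority performs on a signed certificate request: the request must verify under the very public key it asks to have certified. The program below is an added illustration for this reprint and is not part of the Act nor the software of any licensed certification authority. The type IssuanceRequest, the functions BuildSubscriberRequest, VerifyIssuanceRequest and TamperSignature, the ECDSA-only key policy and the subscriber name "Subscriber Sdn Bhd" are all assumptions made for the example; confirmation of identity under (b)(i) and (ii) happens out of band and is represented only by the ConfirmedSubject field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// IssuanceRequest is a hypothetical CA-side record of one subscriber request:
// the DER-encoded PKCS#10 request the subscriber signed, plus the name the CA
// has already confirmed out of band (identity proofing is outside this code).
type IssuanceRequest struct {
	CSRDER           []byte
	ConfirmedSubject string
}

// BuildSubscriberRequest plays the subscriber: it generates a P-256 key on the
// subscriber's side and signs a request listing the matching public key.
// The returned private key is what the subscriber must keep under control.
func BuildSubscriberRequest(commonName string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// VerifyIssuanceRequest applies the conditions of s. 29(1) that a CA can check
// mechanically: the request was signed by the prospective subscriber (1)(a);
// the name in the request is the name the CA confirmed (1)(b)(i),(iii); the
// listed key is of a type that can create a digital signature (1)(b)(v),
// enforced here as a hypothetical ECDSA-only policy; and the request
// signature verifies under the listed public key, which is the proof that the
// requester holds the corresponding private key (1)(b)(iv),(vi).
func VerifyIssuanceRequest(req IssuanceRequest) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(req.CSRDER)
	if err != nil {
		return nil, fmt.Errorf("request not parseable: %w", err)
	}
	if csr.Subject.CommonName != req.ConfirmedSubject {
		return nil, errors.New("name in request does not match confirmed subscriber")
	}
	if _, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok {
		return nil, errors.New("listed public key is not an ECDSA key")
	}
	// CheckSignature verifies csr.Signature over csr.RawTBSCertificateRequest
	// using csr.PublicKey; failure means there is no proof of possession.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// TamperSignature flips one bit in the last byte of a DER request, which is
// the last byte of its signature value. It simulates a request whose
// signature was not made by the holder of the listed key: the request still
// parses and still names the right subscriber, only the proof fails.
func TamperSignature(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	der, _, err := BuildSubscriberRequest("Subscriber Sdn Bhd")
	if err != nil {
		panic(err)
	}
	if _, err := VerifyIssuanceRequest(IssuanceRequest{CSRDER: der, ConfirmedSubject: "Subscriber Sdn Bhd"}); err != nil {
		panic(err)
	}
	fmt.Println("genuine request: all mechanical s. 29(1) checks passed")

	_, err = VerifyIssuanceRequest(IssuanceRequest{CSRDER: der, ConfirmedSubject: "Someone Else"})
	fmt.Println("wrong confirmed identity:", err)

	_, err = VerifyIssuanceRequest(IssuanceRequest{CSRDER: TamperSignature(der), ConfirmedSubject: "Subscriber Sdn Bhd"})
	fmt.Println("tampered signature:", err)
}
```

The point of the check is that the signature is verified with the public key carried inside the request itself, which is what ties paragraph (iv) (the subscriber rightfully holds the private key) to paragraph (vi) (the listed public key verifies a signature made with that private key). A CA that skipped CheckSignature could certify a public key whose private half the requester never held, exactly the situation that section 32 then forces it to revoke.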
Publication of issued and accepted certificate

30. (1) Where the subscriber accepts the issued certificate, the
licensed certification authority shall publish a signed copy of the
certificate in a recognized repository, as the licensed certification
authority and the subscriber named in the certificate may agree,
unless a contract between the licensed certification authority and
the subscriber provides otherwise.

  (2) Where the subscriber does not accept the certificate, a licensed
certification authority shall not publish it, or shall cancel its
publication if the certificate has already been published.

Adoption of more rigorous requirements permitted

31. Nothing in sections 29 and 30 shall preclude a licensed
certification authority from conforming to standards, certification
practice statements, security plans or contractual requirements more
rigorous than, but nevertheless consistent with, this Act.

Suspension or revocation of certificate for faulty issuance

32. (1) Where after issuing a certificate a licensed certification
authority confirms that it was not issued in accordance with sections
29 and 30, the licensed certification authority shall immediately
revoke it.

  (2) A licensed certification authority may suspend a certificate
which it has issued for a reasonable period not exceeding
forty-eight hours as may be necessary for an investigation to be
carried out to confirm the grounds for a revocation under
subsection (1).

  (3) The licensed certification authority shall immediately notify
the subscriber of a revocation or suspension under this section.

Suspension or revocation of certificate by order

33. (1) The Commission may order the licensed certification
authority to suspend or revoke a certificate issued by it where the
Commission determines that—
     (a) the certificate was issued without compliance with sections
         29 and 30; and
     (b) the non-compliance poses a significant risk to persons
         reasonably relying on the certificate.
  (2) Before making a determination under subsection (1), the
Commission shall give the licensed certification authority and the
subscriber a reasonable opportunity of being heard.

  (3) Notwithstanding subsections (1) and (2), where in the opinion
of the Commission there exists an emergency that requires an
immediate remedy, the Commission may, after consultation with
the Minister, suspend a certificate for a period not exceeding forty-
eight hours.

                               CHAPTER 2

              Warranties and obligations of licensed
                    certification authorities

Warranties to subscriber

34. (1) By issuing a certificate, a licensed certification authority
warrants to the subscriber named in the certificate that—
     (a) the certificate contains no information known to the licensed
         certification authority to be false;
     (b) the certificate satisfies all the requirements of this Act;
         and
     (c) the licensed certification authority has not exceeded any
         limits of its licence in issuing the certificate.

  (2) A licensed certification authority shall not disclaim or limit
the warranties under subsection (1).

Continuing obligations to subscriber

35. Unless the subscriber and licensed certification authority
otherwise agree, a licensed certification authority, by issuing a
certificate, promises to the subscriber—
     (a) to act promptly to suspend or revoke a certificate in
         accordance with Chapter 5 or 6; and
     (b) to notify the subscriber within a reasonable time of any
         facts known to the licensed certification authority which
         significantly affect the validity or reliability of the certificate
         once it is issued.
Representations upon issuance

36. By issuing a certificate, a licensed certification authority
certifies to all who reasonably rely on the information contained
in the certificate that—
     (a) the information in the certificate and listed as confirmed
         by the licensed certification authority is accurate;
     (b) all information foreseeably material to the reliability of
         the certificate is stated or incorporated by reference within
         the certificate;
      (c) the subscriber has accepted the certificate; and
     (d) the licensed certification authority has complied with all
         applicable laws governing the issuance of the certificate.

Representations upon publication

37. By publishing a certificate, a licensed certification authority
certifies to the repository in which the certificate is published and
to all who reasonably rely on the information contained in the
certificate that the licensed certification authority has issued the
certificate to the subscriber.


                              CHAPTER 3

           Representations and duties upon acceptance
                          of certificate

Implied representations by subscriber

38. By accepting a certificate issued by a licensed certification
authority, the subscriber listed in the certificate certifies to all who
reasonably rely on the information contained in the certificate
that—
     (a) the subscriber rightfully holds the private key corresponding
         to the public key listed in the certificate;
     (b) all representations made by the subscriber to the licensed
         certification authority and material to information listed
         in the certificate are true; and
      (c) all material representations made by the subscriber to a
          licensed certification authority or made in the certificate
          and not confirmed by the licensed certification authority
          in issuing the certificate are true.

Representations by agent of subscriber

39. By requesting on behalf of a principal the issuance of a
certificate naming the principal as subscriber, the requesting person
certifies in that person’s own right to all who reasonably rely on
the information contained in the certificate that the requesting
person—
     (a) holds all authority legally required to apply for issuance
         of a certificate naming the principal as subscriber; and
     (b) has authority to sign digitally on behalf of the principal,
         and, if that authority is limited in any way, adequate
         safeguards exist to prevent a digital signature exceeding
         the bounds of the person’s authority.

Disclaimer or indemnity limited

40. No person may disclaim or contractually limit the application
of this Chapter, nor obtain indemnity for its effects, if the disclaimer,
limitation or indemnity restricts liability for misrepresentation as
against persons reasonably relying on the certificate.

Indemnification of licensed certification authority by subscriber

41. (1) By accepting a certificate, a subscriber undertakes to
indemnify the issuing licensed certification authority for any loss
or damage caused by issuance or publication of the certificate in
reliance on—
     (a) a false and material representation of fact by the subscriber;
         or
     (b) the failure by the subscriber to disclose a material fact,

if the representation or failure to disclose was made either with
intent to deceive the licensed certification authority or a person
relying on the certificate, or with negligence.
   (2) Where the licensed certification authority issued the certificate
at the request of one or more agents of the subscriber, the agent
or agents personally undertake to indemnify the licensed certification
authority under this section, as if they were accepting subscribers
in their own right.

  (3) The indemnity provided in this section shall not be disclaimed
or contractually limited in scope.

Certification of accuracy of information given

42. In obtaining information of the subscriber material to the
issuance of a certificate, the licensed certification authority may
require the subscriber to certify the accuracy of relevant information
under oath or affirmation.


                              CHAPTER 4

                       Control of private key

Duty of subscriber to keep private key secure

43. By accepting a certificate issued by a licensed certification
authority, the subscriber named in the certificate assumes a duty
to exercise reasonable care to retain control of the private key and
prevent its disclosure to any person not authorized to create the
subscriber’s digital signature.

Property in private key

44. A private key is the personal property of the subscriber who
rightfully holds it.

Licensed certification authority to be fiduciary if holding
subscriber’s private key

45. Where a licensed certification authority holds the private key
corresponding to a public key listed in a certificate which it has
issued, the licensed certification authority shall hold the private
key as a fiduciary of the subscriber named in the certificate, and
may use that private key only with the subscriber’s prior written
approval, unless the subscriber expressly and in writing grants the
private key to the licensed certification authority and expressly
and in writing permits the licensed certification authority to hold
the private key according to other terms.


                             CHAPTER 5

                     Suspension of certificate

Suspension of certificate by issuing licensed certification authority

46. (1) Unless the licensed certification authority and the subscriber
agree otherwise, the licensed certification authority which issued
a certificate, which is not a transactional certificate, shall suspend
the certificate for a period not exceeding forty-eight hours—
     (a) upon request by a person identifying himself as the
         subscriber named in the certificate, or as a person in a
         position likely to know of a compromise of the security
         of a subscriber’s private key, such as an agent, business
         associate, employee or member of the immediate family
         of the subscriber; or
     (b) by order of the Commission under section 33.

  (2) The licensed certification authority shall take reasonable
measures to check the identity or agency of the person requesting
suspension.

Suspension of certificate by Commission or court

47. (1) Unless the certificate provides otherwise or the certificate
is a transactional certificate, the Commission or a court may suspend
a certificate issued by a licensed certification authority for a period
of forty-eight hours, if—
     (a) a person identifying himself as the subscriber named in
         the certificate or as an agent, business associate, employee
         or member of the immediate family of the subscriber
         requests suspension; and
     (b) the requester represents that the licensed certification
         authority which issued the certificate is unavailable.
  (2) The Commission or court may require the person requesting
suspension to provide evidence, including a statement under oath
or affirmation regarding his identity and authorization, and the
unavailability of the issuing licensed certification authority, and
may decline to suspend the certificate in its discretion.

  (3) The Commission or other law enforcement agency may
investigate suspensions by the Commission or court for possible
wrongdoing by persons requesting suspension.

Notice of suspension

48. (1) Immediately upon suspension of a certificate by a licensed
certification authority, the licensed certification authority shall
publish a signed notice of the suspension in the repository specified
in the certificate for publication of notice of suspension.

  (2) Where one or more repositories are specified, the licensed
certification authority shall publish signed notices of the suspension
in all such repositories.

   (3) Where any repository specified no longer exists or refuses
to accept publication, or if no such repository is recognized under
section 68, the licensed certification authority shall also publish
the notice in a recognized repository.

  (4) Where a certificate is suspended by the Commission or a
court, the Commission or court shall give notice as required in this
section for a licensed certification authority provided that the
person requesting suspension pays in advance any prescribed fee
required by a repository for publication of the notice of suspension.

Termination of suspension initiated by request

49. A licensed certification authority shall terminate a suspension
initiated by request—
     (a) where the subscriber named in the suspended certificate
         requests termination of the suspension, only if the licensed
         certification authority has confirmed that the person
         requesting suspension is the subscriber or an agent of the
         subscriber authorized to terminate the suspension; or
     (b) where the licensed certification authority discovers and
         confirms that the request for the suspension was made
         without authorization by the subscriber.

Alternate contractual procedures

50. (1) The contract between a subscriber and a licensed certification
authority may limit or preclude requested suspension by the licensed
certification authority or may provide otherwise for termination of
a requested suspension.

  (2) Where the contract limits or precludes suspension by the
Commission or a court when the issuing licensed certification
authority is unavailable, the limitation or preclusion shall be effective
only if notice of it is published in the certificate.

Prohibition against false or unauthorized request for suspension
of certificate

51. No person shall knowingly or intentionally misrepresent to
a licensed certification authority his identity or authorization in
requesting suspension of a certificate.

Effect of suspension of certificate

52. Nothing in this Chapter shall release the subscriber from the
duty under section 43 to keep the private key secure while a
certificate is suspended.

                              CHAPTER 6

                      Revocation of certificate

Revocation on request

53. (1) A licensed certification authority shall revoke a certificate
which it issued but which is not a transactional certificate,—
     (a) upon receiving a request for revocation by the subscriber
         named in the certificate; and
     (b) upon confirming that the person requesting revocation is
         that subscriber or is an agent of that subscriber with
         authority to request the revocation.
  (2) A licensed certification authority shall confirm a request for
revocation and revoke a certificate within one business day after
receiving both a subscriber’s written request and evidence reasonably
sufficient to confirm the identity of the person requesting the
revocation or of the agent.

Revocation on subscriber’s death or dissolution

54. (1) A licensed certification authority shall revoke a certificate
which it issued—
     (a) upon receiving a certified copy of the subscriber’s death
         certificate or upon confirming by other evidence that the
         subscriber is dead; or
     (b) upon presentation of documents effecting a dissolution
         of the subscriber or upon confirming by other evidence
         that the subscriber has been dissolved or has ceased to
         exist.

Revocation of unreliable certificates

55. (1) A licensed certification authority may revoke one or more
certificates which it issued if the certificates are or become unreliable
regardless of whether the subscriber consents to the revocation and
notwithstanding any provision to the contrary in a contract between
the subscriber and the licensed certification authority.

  (2) Nothing in subsection (1) shall prevent the subscriber from
seeking damages or other relief against the licensed certification
authority in the event of wrongful revocation.

Notice of revocation

56. (1) Immediately upon revocation of a certificate by a licensed
certification authority, the licensed certification authority shall
publish a signed notice of the revocation in the repository specified
in the certificate for publication of notice of revocation.

  (2) Where one or more repositories are specified, the licensed
certification authority shall publish signed notices of the revocation
in all such repositories.
   (3) Where any repository specified no longer exists or refuses
to accept publication, or if no such repository is recognized under
section 68, the licensed certification authority shall also publish
the notice in a recognized repository.

Effect of revocation request on subscriber

57. Where a subscriber has requested for the revocation of a
certificate, the subscriber ceases to certify as provided in Chapter
3 and has no further duty to keep the private key secure as required
under section 43—
     (a) when notice of the revocation is published as required
         under section 56; or
     (b) when two business days have lapsed after the subscriber
         requests for the revocation in writing, supplies to the
         issuing licensed certification authority information
         reasonably sufficient to confirm the request, and pays
         any prescribed fee,

whichever occurs first.

Effect of notification on licensed certification authority

58. Upon notification as required under section 56, a licensed
certification authority shall be discharged of its warranties based
on issuance of the revoked certificate and ceases to certify as
provided in sections 35 and 36 in relation to the revoked certificate.


                             CHAPTER 7

                     Expiration of certificate

Expiration of certificate

59. (1) The date of expiry of a certificate shall be specified in the
certificate.

  (2) A certificate may be issued for any period not exceeding
three years from the date of issuance.

   (3) When a certificate expires, the subscriber and licensed
certification authority shall cease to certify as provided under this
Act and the licensed certification authority shall be discharged of
its duties based on issuance in relation to the expired certificate.

  (4) The expiry of a certificate shall not affect the duties and
obligations of the subscriber and licensed certification authority
incurred under and in relation to the expired certificate.

                                        CHAPTER 8

                Recommended reliance limits and liability

Recommended reliance limit

*60. (1) A licensed certification authority shall, in issuing a
certificate to a subscriber, specify a recommended reliance limit
in the certificate.

  (2) The licensed certification authority may specify different
limits in different certificates as it considers fit.

Liability limits for licensed certification authorities

61. Unless a licensed certification authority waives the application
of this section, a licensed certification authority—
       (a) shall not be liable for any loss caused by reliance on a
           false or forged digital signature of a subscriber, if, with
           respect to the false or forged digital signature, the licensed
           certification authority complied with the requirements of
           this Act;
       (b) shall not be liable in excess of the amount specified in
           the certificate as its recommended reliance limit for either—
                 (i) a loss caused by reliance on a misrepresentation in
                     the certificate of any fact that the licensed certification
                     authority is required to confirm; or
                (ii) failure to comply with sections 29 and 30 in issuing
                     the certificate; and
     (c) shall not be liable for—
            (i) punitive or exemplary damages; or
           (ii) damages for pain or suffering.

*NOTE—The Central Bank of Malaysia is exempted from the requirements of this section for the
purpose of implementing the Real-Time Electronic Transfer of Funds and Securities System or also
known as “RENTAS”–see P.U. (A) 300/1999.

                              PART V

                EFFECT OF DIGITAL SIGNATURE

Satisfaction of signature requirements

62. (1) Where a rule of law requires a signature or provides for
certain consequences in the absence of a signature, that rule shall
be satisfied by a digital signature where—
     (a) that digital signature is verified by reference to the public
         key listed in a valid certificate issued by a licensed
         certification authority;
     (b) that digital signature was affixed by the signer with the
         intention of signing the message; and
     (c) the recipient has no knowledge or notice that the signer—
            (i) has breached a duty as a subscriber; or
           (ii) does not rightfully hold the private key used to
                affix the digital signature.

  (2) Notwithstanding any written law to the contrary—
     (a) a document signed with a digital signature in accordance
         with this Act shall be as legally binding as a document
         signed with a handwritten signature, an affixed thumb-
         print or any other mark; and
     (b) a digital signature created in accordance with this Act
         shall be deemed to be a legally binding signature.

  (3) Nothing in this Act shall preclude any symbol from being
valid as a signature under any other applicable law.

Unreliable digital signatures

63. (1) Unless otherwise provided by law or contract, the recipient
of a digital signature assumes the risk that a digital signature is
forged, if reliance on the digital signature is not reasonable under
the circumstances.

  (2) Where the recipient determines not to rely on a digital signature
under this section, the recipient shall promptly notify the signer
of its determination not to rely on a digital signature and the
grounds for that determination.

Digitally signed message deemed to be written document

64. (1) A message shall be as valid, enforceable and effective as
if it had been written on paper if—
     (a) it bears in its entirety a digital signature; and
     (b) that digital signature is verified by the public key listed
         in a certificate which—
            (i) was issued by a licensed certification authority;
                and
           (ii) was valid at the time the digital signature was created.

  (2) Nothing in this Act shall preclude any message, document,
or record from being considered written or in writing under any
other applicable law.

Digitally signed message deemed to be original document

65. A copy of a digitally signed message shall be as valid,
enforceable and effective as the original of the message unless it
is evident that the signer designated an instance of the digitally
signed message to be a unique original, in which case only that
instance constitutes the valid, enforceable and effective message.

Authentication of digital signatures

66. A certificate issued by a licensed certification authority shall
be an acknowledgement of a digital signature verified by reference
to the public key listed in the certificate, regardless of whether
words of an express acknowledgement appear with the digital
signature and regardless of whether the signer physically appeared
before the licensed certification authority when the digital signature
was created, if that digital signature is—
     (a) verifiable by that certificate; and
     (b) affixed when that certificate was valid.

Presumptions in adjudicating disputes

67. In adjudicating a dispute involving a digital signature, a
court shall presume—
     (a) that a certificate digitally signed by a licensed certification
         authority and—
            (i) published in a recognized repository; or
           (ii) made available by the issuing licensed certification
                authority or by the subscriber listed in the certificate,
         is issued by the licensed certification authority which
         digitally signed it and is accepted by the subscriber listed
         in it;
     (b) that the information listed in a valid certificate and
         confirmed by a licensed certification authority issuing
         the certificate is accurate;
     (c) that where a digital signature is verified by the public
         key listed in a valid certificate issued by a licensed
         certification authority—
            (i) that digital signature is the digital signature of the
                subscriber listed in that certificate;
           (ii) that digital signature was affixed by that subscriber
                with the intention of signing the message; and
          (iii) the recipient of that digital signature has no
                knowledge or notice that the signer—
                  (A) has breached a duty as a subscriber; or
                  (B) does not rightfully hold the private key used
                      to affix the digital signature; and
     (d) that a digital signature was created before it was
         time-stamped by a recognized date/time stamp service
         utilizing a trustworthy system.

                               PART VI

      REPOSITORIES AND DATE/TIME STAMP SERVICES

Recognition of repositories

68. (1) The Commission may recognize one or more repositories,
after determining that a repository to be recognized satisfies the
requirements prescribed in the regulations made under this Act.

  (2) The procedure for recognition of repositories shall be as
may be prescribed by regulations made under this Act.

  (3) The Commission shall publish a list of recognized repositories
in such form and manner as it may determine.

Liability of repositories

69. (1) Notwithstanding any disclaimer by the repository or any
contract to the contrary between the repository and a licensed
certification authority or a subscriber, a repository shall be liable
for a loss incurred by a person reasonably relying on a digital
signature verified by the public key listed in a suspended or revoked
certificate, if loss was incurred more than one business day after
receipt by the repository of a request to publish notice of the
suspension or revocation, and the repository had failed to publish
the notice when the person relied on the digital signature.

  (2) Unless waived, a recognized repository or the owner or
operator of a recognized repository—
     (a) shall not be liable for failure to record publication of a
         suspension or revocation, unless the repository has received
         notice of publication and one business day has elapsed
         since the notice was received;
     (b) shall not be liable under subsection (1) in excess of the
         amount specified in the certificate as the recommended
         reliance limit;
     (c) shall not be liable under subsection (1) for—
            (i) punitive or exemplary damages; or
           (ii) damages for pain or suffering;
     (d) shall not be liable for misrepresentation in a certificate
         published by a certification authority;
     (e) shall not be liable for accurately recording or reporting
         information which a licensed certification authority, a
         court or the Commission has published as required or
         permitted under this Act, including information about the
         suspension or revocation of a certificate; and

      (f) shall not be liable for reporting information about a
          certification authority, a certificate or a subscriber, if
          such information is published as required or permitted
          under this Act or is published by order of the Commission
          in the performance of its licensing and regulatory duties
          under this Act.

Recognition of date/time stamp services

70. (1) The Commission may recognize one or more date/time
stamp services, after determining that a service to be recognized
satisfies the requirements prescribed in the regulations made under
this Act.

  (2) The procedure for recognition of date/time stamp services
shall be as may be prescribed by regulations made under this Act.

   (3) The Commission shall publish a list of recognized date/time
stamp services in such form and manner as it may determine.


                             PART VII

                             GENERAL


Prohibition against dangerous activities

71. (1) No certification authority, whether licensed or not, shall
conduct its business in a manner that creates an unreasonable risk
of loss to the subscribers of the certification authority, to persons
relying on certificates issued by the certification authority or to
a repository.

  (2) The Commission may publish in one or more recognized
repositories brief statements advising subscribers, persons relying
on digital signatures and repositories about any activities of a
certification authority, whether licensed or not, which create a risk
prohibited under subsection (1).

   (3) The certification authority named in a statement as creating
or causing a risk may protest the publication of the statement by
filing a brief written defence.

  (4) On receipt of a protest made under subsection (3), the
Commission shall publish the written defence together with the
Commission’s statement, and shall immediately give the protesting
certification authority notice and a reasonable opportunity of being
heard.

  (5) Where, after a hearing, the Commission determines that the
publication of the advisory statement was unwarranted, the
Commission shall revoke the advisory statement.

  (6) Where, after a hearing, the Commission determines that the
advisory statement is no longer warranted, the Commission shall
revoke the advisory statement.

  (7) Where, after a hearing, the Commission determines that the
advisory statement remains warranted, the Commission may continue
or amend the advisory statement and may take further legal action
to eliminate or reduce the risk prohibited under subsection (1).

  (8) The Commission shall publish its decision under subsection
(5), (6) or (7), as the case may be, in one or more recognized
repositories.

Obligation of secrecy

72. (1) Except for the purposes of this Act, no person who has
access to any record, book, register, correspondence, information,
document or other material obtained under this Act shall disclose
such record, book, register, correspondence, information, document
or other material to any other person.

  (2) A person who contravenes subsection (1) commits an offence
and shall, on conviction, be liable to a fine not exceeding one
hundred thousand ringgit or to imprisonment for a term not exceeding
two years or to both.

False information

73. A person who makes, orally or in writing, signs or furnishes
any declaration, return, certificate or other document or information
required under this Act which is untrue, inaccurate or misleading
in any particular commits an offence and shall, on conviction, be
liable to a fine not exceeding five hundred thousand ringgit or to
imprisonment for a term not exceeding ten years or to both.

Offences by body corporate

74. (1) Where a body corporate commits an offence under this
Act, any person who at the time of the commission of the offence
was a director, manager, secretary or other similar officer of the
body corporate or was purporting to act in any such capacity or
was in any manner or to any extent responsible for the management
of any of the affairs of the body corporate or was assisting in such
management—
     (a) may be charged severally or jointly in the same proceedings
         with the body corporate; and
     (b) where the body corporate is found guilty of the offence,
         shall be deemed to be guilty of that offence unless, having
         regard to the nature of his functions in that capacity and
         to all circumstances, he proves—
            (i) that the offence was committed without his
                knowledge, consent or connivance; and
           (ii) that he took all reasonable precautions and had
                exercised due diligence to prevent the commission
                of the offence.

  (2) Where any person would be liable under this Act to any
punishment or penalty for any act, omission, neglect or default,
he shall be liable to the same punishment or penalty for every such
act, omission, neglect or default of any employee or agent of his,
or of the employee of such agent, if such act, omission, neglect
or default was committed—
     (a) by his employee in the course of his employment;
     (b) by the agent when acting on his behalf; or
     (c) by the employee of such agent in the course of his
         employment by such agent or otherwise on behalf of the
         agent.

Authorized officer

75. (1) The Minister may in writing authorize any public officer
or officer of the Commission to exercise the powers of enforcement
under this Act.

  (2) Any officer authorized under subsection (1) shall be deemed
to be a public servant within the meaning of the Penal Code
[Act 574].

  (3) In exercising any of the powers of enforcement under this
Act, an authorized officer shall on demand produce to the person
against whom he is acting the authority issued to him by the
Minister.

Enforcement by police officers

75A. (1) Notwithstanding subsection 75(1), any police officer not
below the rank of Inspector shall have and may exercise the powers
of enforcement conferred by this Act on an authorized officer.

  (2) In exercising any of the powers of enforcement conferred
under this Act on a police officer not below the rank of Inspector,
such police officer shall, if not in uniform, on demand declare his
office and produce to the person against whom he is acting the
authority card as the Inspector General of Police may direct to be
carried by such police officer.

Power to investigate

76. (1) The Commission may investigate the activities of a
certification authority material to its compliance with this Act.

   (2) For the purposes of subsection (1), the Commission may
issue orders to a certification authority to further its investigation
and secure compliance with this Act.

  (3) Further, in any case relating to the commission of an offence
under this Act, any authorized officer carrying on an investigation
may exercise all or any of the special powers in relation to police
investigation in seizable cases given by the Criminal Procedure
Code [Act 593].

Search by warrant

77. (1) If it appears to a Magistrate, upon written information on
oath and after such inquiry as he considers necessary, that there
is reasonable cause to believe that an offence under this Act is
being or has been committed on any premises, the Magistrate may
issue a warrant authorizing any police officer not below the rank
of Inspector, or any authorized officer named therein, to enter the
premises at any reasonable time by day or by night, with or without
assistance and if need be by force, and there to search for and
seize—
     (a) copies of any books, accounts or other documents, including
         computerized data, which contain or are reasonably
         suspected to contain information as to any offence so
         suspected to have been committed;
     (b) any signboard, card, letter, pamphlet, leaflet, notice or
         other device representing or implying that the person is
         a licensed certification authority; and
      (c) any other document, article or item that is reasonably
          believed to furnish evidence of the commission of such
          offence.

   (2) A police officer or an authorized officer conducting a search
under subsection (1) may, if in his opinion it is reasonably necessary
to do so for the purpose of investigating into the offence, search
any person who is in or on such premises.

   (3) A police officer or an authorized officer making a search of
a person under subsection (2) may seize, detain or take possession
of any book, accounts, document, computerized data, card, letter,
pamphlet, leaflet, notice, device, article or item found on such
person for the purpose of the investigation being carried out by
such officer.

  (4) No female person shall be searched under this section except
by another female person.

   (5) Where, by reason of its nature, size or amount, it is not
practicable to remove any book, accounts, document, computerized
data, signboard, card, letter, pamphlet, leaflet, notice, device, article
or item seized under this section, the seizing officer shall, by any
means, seal such book, accounts, document, computerized data,
signboard, card, letter, pamphlet, leaflet, notice, device, article or
item in the premises or container in which it is found.

   (6) A person who, without lawful authority, breaks, tampers
with or damages the seal referred to in subsection (5) or removes
any book, accounts, document, computerized data, signboard, card,
letter, pamphlet, leaflet, notice, device, article or item under seal
or attempts to do so commits an offence.

Search and seizure without warrant

78. If a police officer not below the rank of Inspector in any of
the circumstances referred to in section 77 has reasonable cause
to believe that by reason of delay in obtaining a search warrant
under that section the investigation would be adversely affected
or evidence of the commission of an offence is likely to be tampered
with, removed, damaged or destroyed, such officer may enter such
premises and exercise in, upon and in respect of the premises all
the powers referred to in section 77 in as full and ample a manner
as if he were authorized to do so by a warrant issued under that
section.

Access to computerized data

79. (1) A police officer conducting a search under section 77 or
78 or an authorized officer conducting a search under section 77
shall be given access to computerized data whether stored in a
computer or otherwise.

  (2) For the purposes of this section, “access” includes being
provided with the necessary password, encryption code, decryption
code, software or hardware and any other means required to enable
comprehension of computerized data.

List of things seized

80. (1) Except as provided in subsection (2), where any book,
accounts, document, computerized data, signboard, card, letter,
pamphlet, leaflet, notice, device, article or item is seized under
section 77 or 78, the seizing officer shall prepare a list of the
things seized and immediately deliver a copy of the list signed by
him to the occupier of the premises which have been searched, or
to his agent or servant, at those premises.

  (2) Where the premises are unoccupied, the seizing officer shall
whenever possible post a list of the things seized conspicuously
on the premises.

Obstruction of authorized officer

81. Any person who obstructs, impedes, assaults or interferes
with any authorized officer in the performance of his functions
under this Act commits an offence.

Additional powers

82. An authorized officer shall, for the purposes of the execution
of this Act, have power to do all or any of the following:
     (a) to require the production of records, accounts, computerized
         data and documents kept by a licensed certification authority
         and to inspect, examine and copy any of them;
     (b) to require the production of any identification document
         from any person in relation to any case or offence under
         this Act;
      (c) to make such inquiry as may be necessary to ascertain
          whether the provisions of this Act have been complied
          with.

General penalty

83. (1) A person who commits an offence under this Act for
which no penalty is expressly provided shall, on conviction, be
liable to a fine not exceeding two hundred thousand ringgit or to
imprisonment for a term not exceeding four years or to both, and
in the case of a continuing offence shall in addition be liable to
a daily fine not exceeding two thousand ringgit for each day the
offence continues to be committed.

  (2) For the purposes of this section, “this Act” does not include
the regulations made under this Act.

Recovery of procedural costs

84. Where the Commission finds that a certification authority
has contravened this Act, the Commission may order the certification
authority to pay the costs incurred by the Commission in prosecution
and adjudication proceedings in relation to the order and in enforcing
it.

No costs or damages arising from seizure to be recoverable

85. No person shall, in any proceedings before any court in
respect of the seizure of any book, accounts, document, computerized
data, signboard, card, letter, pamphlet, leaflet, notice, device, article
or item seized in the exercise or the purported exercise of any
power conferred under this Act, be entitled to the costs of such
proceedings or to any damages or other relief unless such seizure
was made without reasonable cause.

Institution and conduct of prosecution

86. (1) No prosecution for or in relation to any offence under this
Act shall be instituted without the written consent of the Public
Prosecutor.

  (2) Any officer of the Commission duly authorized in writing
by the Public Prosecutor may conduct the prosecution for any
offence under this Act.

Jurisdiction to try offences

87. Notwithstanding any written law to the contrary, a Court of
a Magistrate of the First Class shall have jurisdiction to try any
offence under this Act and to impose the full punishment for any
such offence.

Protection of Commission and officers

88. No action or prosecution shall be brought, instituted or
maintained in any court against—
     (a) the Commission or any officer duly authorized under this
         Act for or on account of or in respect of any act ordered
         or done for the purpose of carrying into effect this Act;
         and
     (b) any other person for or on account of or in respect of any
         act done or purported to be done by him under the order,
         direction or instruction of the Commission or any officer
         duly authorized under this Act if the act was done in
         good faith and in a reasonable belief that it was necessary
         for the purpose intended to be served thereby.

Power to exempt

89. (1) The Minister may, by order published in the Gazette,
exempt any person or class of persons from all or any of the
provisions of this Act, except section 4.

   (2) The Minister may impose any terms and conditions as he
thinks fit on any exemption under subsection (1).

Limitation on disclaiming or limiting application of Act

90. Unless it is expressly provided for under this Act, no person
may disclaim or contractually limit the application of this Act.

Regulations

91. (1) The Minister may make regulations for all or any of the
following purposes:
     (a) prescribing the qualification requirements for certification
         authorities;
     (b) prescribing the manner of applying for licences and
         certificates under this Act, the particulars to be
         supplied by an applicant, the manner of licensing and
         certification, the fees payable therefor, the conditions
         or restrictions to be imposed and the form of licences
         and certificates;
     (c) regulating the operations of licensed certification
         authorities;
     (d) prescribing the requirements for the content, form and
         sources of information in certification authority disclosure
         records, the updating and timeliness of such information
         and other practices and policies relating to certification
         authority disclosure records;
     (e) prescribing the form of certification practice statements;
     (f) prescribing the qualification requirements for auditors
         and the procedure for audits;
     (g) prescribing the requirements for repositories and the
         procedure for recognition of repositories;
     (h) prescribing the requirements for date/time stamp services
         and the procedure for recognition of date/time stamp
         services;
      (i) prescribing the procedure for the review of software for
          use in creating digital signatures and of the applicable
          standards in relation to digital signatures and certification
          practice and for the publication of reports on such software
          and standards;
      (j) prescribing the forms for the purposes of this Act;
      (k) prescribing the fees and charges payable under this Act
          and the manner for collecting and disbursing such fees
          and charges;
      (l) providing for such other matters as are contemplated by,
          or necessary for giving full effect to, the provisions of
          this Act and for their due administration.

   (2) Regulations made under subsection (1) may prescribe any
act in contravention of the regulations to be an offence and may
prescribe penalties of a fine not exceeding one hundred thousand
ringgit or imprisonment for a term not exceeding two years or
both.

Savings and transitional

92. (1) A certification authority that has been carrying on or operating
as a certification authority before the commencement of this Act
shall, not later than three months from such commencement, obtain
a licence under this Act.

   (2) Where a certification authority referred to in subsection (1)
fails to obtain a licence after the period prescribed in subsection
(1), it shall be deemed to be an unlicensed certification authority
and the provisions of this Act shall apply to it and the certificates
issued by it accordingly.

  (3) Where a certification authority referred to in subsection (1)
has obtained a licence in accordance with this Act within the
period prescribed in subsection (1), all certificates issued by such
certification authority before the commencement of this Act, to
the extent that they are not inconsistent with this Act, shall be
deemed to have been issued under this Act and shall have effect
accordingly.

                     LAWS OF MALAYSIA

                            Act 562

                DIGITAL SIGNATURE ACT 1997


                     LIST OF AMENDMENTS


 Amending law               Short title            In force from

 Act A1121         Digital Signature (Amendment)   01-11-2001
                   Act 2001

                     LAWS OF MALAYSIA

                                Act 562

            DIGITAL SIGNATURE ACT 1997


                  LIST OF SECTIONS AMENDED


Section                    Amending authority      In force from

2                              Act A1121           01-11-2001
PART II                        Act A1121           01-11-2001
3                              Act A1121           01-11-2001
8                              Act A1121           01-11-2001
9                              Act A1121           01-11-2001
20                             Act A1121           01-11-2001
21                             Act A1121           01-11-2001
24                             Act A1121           01-11-2001
47                             Act A1121           01-11-2001
68                             Act A1121           01-11-2001
69                             Act A1121           01-11-2001
70                             Act A1121           01-11-2001
71                             Act A1121           01-11-2001
75                             Act A1121           01-11-2001
75A                            Act A1121           01-11-2001
88                             Act A1121           01-11-2001
Throughout the Act             Act A1121           01-11-2001
the word
“Commission” is
substituted for
“Controller”




PRINTED BY
PERCETAKAN NASIONAL MALAYSIA BERHAD,
KUALA LUMPUR
ON BEHALF OF AND BY ORDER OF THE GOVERNMENT OF MALAYSIA
